Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

AI PRP: Request CVE-2024-5982 Path Traversal Causes Arbitrary Upload (RCE), Arbitrary Directory Creation, and File Content Leakage (First Column of CSVs) in chuanhuchatgpt #550

Open
maoning opened this issue Nov 19, 2024 · 5 comments
Open

AI PRP: Request CVE-2024-5982 Path Traversal Causes Arbitrary Upload (RCE), Arbitrary Directory Creation, and File Content Leakage (First Column of CSVs) in chuanhuchatgpt #550

maoning opened this issue Nov 19, 2024 · 5 comments
Assignees
@OccamsXor
Labels
ai-bounty-prp Identify an AI bounty plugin PRP:Accepted

Comments

@maoning
Copy link
Collaborator

maoning commented Nov 19, 2024

Reference: https://sightline.protectai.com/vulnerabilities/2cbac1ac-2561-4f8e-8854-7022973f7422/assess

Require further research in terms of type of payload can be used for vuln verification, should achieve detection effectiveness while minimizing state changing actions on the target system.

Please read the rules of engagement first at #409.
@maoning maoning added help wanted Extra attention is needed ai-bounty-prp Identify an AI bounty plugin labels Nov 19, 2024
@OccamsXor
Copy link
Contributor

Hi @maoning,

I want to help with this. Can you assign this issue to me?

@maoning
Copy link
Collaborator Author

maoning commented Dec 3, 2024

@OccamsXor There are 3 issues assigned to you: https://github.com/google/tsunami-security-scanner-plugins/issues?q=is%3Aissue%20state%3Aopen%20assignee%3AOccamsXor, could you follow up on #434 and confirm whether you still want to work on the other 2 first?

@OccamsXor
Copy link
Contributor

@maoning this is the current status of 3 issues assigned to me:
#402

Hi @OccamsXor,

We are not completely sure on whether we would like to continue with that product or CVE. To help us make a decision, would you be willing to contribute to fingerprints for Craft CMS? If so, please open a new issue and I will be sure to accept it right away.

Thank you, ~tooryx

#406
I sent PR on March 22. Didn't recieve any updates until September. I don't have currently environment to test this PR.

#511

Hi @OccamsXor,

No, currently Tsunami does not have such capability. I will chat with the rest of the team to see if we can find a solution for this.

~tooryx

I want to prioritize and help with this issue.

@maoning
Copy link
Collaborator Author

maoning commented Dec 4, 2024

@OccamsXor Thank you for updating the fingerprint. I have updated the status for #511. You can start working on this issue and please complete the following tasks:

@maoning maoning added PRP:Accepted and removed help wanted Extra attention is needed labels Dec 4, 2024
@OccamsXor
Copy link
Contributor

OccamsXor commented Jan 30, 2025
edited
Loading

Hi @maoning ,

I analyzed the details of this CVE. It seems that the RCE attack scenario assumes the attacker can create a user with a specific username like /etc/cron.d. However, the terminal access to the server is required to be able to create any user in chuanhuchatgpt. Therefore, the arbitrary file upload bug cannot be leveraged into RCE in a real world scenario.

This CVE also contains 2 other bugs which won't be interesting from Tsunami Scanner's perspective.

Can you unassign me from this issue? Thank you.

Ref: https://huntr.com/bounties/5d5c5356-e893-44d1-b5ca-642aa05d96bb
Ref: https://github.com/GaiZhenbiao/ChuanhuChatGPT/wiki/%E4%BD%BF%E7%94%A8%E6%95%99%E7%A8%8B

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@OccamsXor OccamsXor

Labels
ai-bounty-prp Identify an AI bounty plugin PRP:Accepted
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@maoning @OccamsXor